One of the ad networks being used by Major League Baseball on MLB.com is displaying malicious ads to site visitors, Perimeter E-Security researchers reported on Monday. When several Perimeter clients who had recently accessed MLB.com began reporting fake antivirus infections, researchers immediately suspected a polluted ad network was at fault, according to Evan Keiser, a security analyst at Perimeter E-Security.

The malicious advertisement was still active, as of 3PM today, Keiser told Security Watch.

"After page-refreshing MLB.com 20–30 times we were finally given the [malicious] redirect," Keiser wrote on the company's blog post.

The malicious ad in question was a luxury watch ad for www.plentywatch.com, Keiser said. The ad was being pushed by an ad server at adginserver.com. Perimeter also saw that the same image was being spread by an ad network on gipcampaign.com, but there is very little information available about either of these groups other than the fact that they were registered fairly recently around the same time by the same person or entity, according to Keiser.

[Image: Fake AV on MLB.com]

Going from the advertisement to the fake antivirus infection requires "quite a bit" of user interaction, according to Keiser. After clicking on the online ad, the user is prompted to download the installation file for the rogue software. The variant, "Windows Secure Web Patch," then pretends to scan the computer and reports problems that it will remove only if the user registers the software for $99.99.

"Needless to say, this program is fraudulent, so do not purchase it," Keiser warned.

Perimeter is currently investigating what other sites are displaying this malicious ad. Keiser said this specific ad server had been serving up fake antivirus on MLB.com as far back as May 25.

"One of the users who reported it to them [mlb.com] didn’t seem to have the best experience dealing with their support,” Keiser said.

Lucrative Scams

Fake antivirus and other types of scareware are a lucrative source of income for everyone involved in the scam, the distributors as well as the campaign operators. Distributors get paid for every person who downloads and installs the software, and the campaign operators pocket the registration fee from the users. They can also sell off any other personal or financial information the user entered in the registration form, such as addresses and credit card numbers.

Perimeter identified 22 URLs involved with this particular malware campaign, all of them with India's .in domain suffix. It appears some of these domains are part of a large 600-plus pool of domains currently being used in "quite prevalent 'fake antivirus' malware campaign," Daniel Wesemann wrote on the SANS Institute's Internet Storm Center blog. The criminals behind the campaign are frequently changing the executables being pushed to avoid detection by security vendors, according to Wesemann.

How Criminals Use Online Ads

Malicious advertisements are sneaky because they are often served up by otherwise legitimate ad networks. Most website publishers don't display their own ads, but partner with an ad network that has a pool of online ads ready to be served. If criminals have accounts on these networks, they can slip malicious advertisements into the rotation. Site visitors who click on the advertisement are directed to the malicious site and infected. This way, criminals can infect visitors to a particular website without going through the time-consuming process of hacking that site, and because the creative is only one entry in a rotation, a single page load usually does not reveal it.
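The rotation problem described above is why Perimeter had to reload the page 20 to 30 times before the redirect appeared. The following Python script is an added example, not code from the article or from Perimeter E-Security: it parses a series of page snapshots, collects the hosts of every embedded script, frame, image and link, discards the hosts the publisher knowingly uses (the `KNOWN_HOSTS` allowlist is an assumption for the example), and flags the third-party hosts that appear in only a small fraction of loads. The HTML snapshots are constructed inline so the script runs offline; the hostnames in the "bad" snapshot are the ones named in the article, but the markup around them is invented.

```python
"""Added example: sample an ad slot across many page loads and flag the
third-party hosts that only show up occasionally (a rotating malvertisement).
The page snapshots below are constructed for this example; nothing is fetched.
"""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts the publisher knowingly embeds (first party plus its ad partner).
KNOWN_HOSTS = {"mlb.com", "www.mlb.com", "ads.example-network.net"}


class ResourceHostParser(HTMLParser):
    """Collects hostnames from the src/href attributes of embedded resources."""

    RESOURCE_TAGS = {"script", "iframe", "img", "a"}

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag not in self.RESOURCE_TAGS:
            return
        for name, value in attrs:
            if name in ("src", "href") and value:
                host = urlparse(value).hostname
                if host:
                    self.hosts.add(host.lower())


def hosts_in_page(html):
    """Return the set of hosts referenced by one page snapshot."""
    parser = ResourceHostParser()
    parser.feed(html)
    return parser.hosts


def unknown_host_counts(snapshots, known_hosts=KNOWN_HOSTS):
    """Count, per third-party host outside the allowlist, how many snapshots reference it."""
    seen = Counter()
    for page in snapshots:
        for host in hosts_in_page(page):
            if host not in known_hosts:
                seen[host] += 1
    return dict(seen)


def rare_hosts(counts, total_loads, max_share=0.25):
    """Hosts present in at most max_share of the loads: the signature of a creative
    that was slipped into a rotation rather than served on every page view."""
    limit = max_share * total_loads
    return sorted(h for h, c in counts.items() if c <= limit)


# Constructed snapshots: 18 loads serve the network's ordinary creative,
# 2 loads serve a creative whose image and click-through point elsewhere.
BENIGN = (
    '<html><body><p>Scores</p>'
    '<script src="https://ads.example-network.net/tag.js"></script>'
    '<img src="https://ads.example-network.net/creative/123.png">'
    '</body></html>'
)
SUSPECT = (
    '<html><body><p>Scores</p>'
    '<script src="https://ads.example-network.net/tag.js"></script>'
    '<a href="http://www.plentywatch.com/?aff=1">'
    '<img src="http://adginserver.com/img/watch.jpg"></a>'
    '</body></html>'
)
SNAPSHOTS = [BENIGN] * 18 + [SUSPECT] * 2


if __name__ == "__main__":
    counts = unknown_host_counts(SNAPSHOTS)
    for host in rare_hosts(counts, len(SNAPSHOTS)):
        print(f"{host}: seen in {counts[host]} of {len(SNAPSHOTS)} loads")
```

In practice the snapshots would come from repeated fetches with a real browser profile, since ad tags often decide what to serve based on cookies, user agent and geography; the comparison logic stays the same. Hosts that appear on every load but are still unknown deserve a look too, which is why `unknown_host_counts` returns all of them and `rare_hosts` is only a filter on top.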

Early last year, the public website for the London Stock Exchange was hit by a similar campaign when one of the online ads turned out to be malicious.

Malicious online advertisements are a significant enough problem that several Internet companies recently banded together to fight them. Facebook, Twitter, Google, AOL, and the Interactive Advertising Bureau are among the big names behind the new Ads Integrity Alliance. The group's goal is to combat "badware" collaboratively, according to Maxim Weinstein, the organization's executive director.
